Could someone briefly explain how to use QoS on Cisco ASA 5505? I have the basics of policing down, but what about shaping and priorities? Basically what I'm trying to do is carve out some bandwidth for my VPN subnets (in an object-group called priority-traffic).

I've seen this Cisco QoS document, however configuring shaping and priority-queue doesn't seem to have any effect in my test. A full download of the Linux kernel from kernel.org will boost a ping to a server via VPN sky high. Policing has been successful in passing this test, although it doesn't seem as efficient (I cap non-VPN traffic at 3 of my 4.5 megabits of bandwidth). Am I misunderstanding the results of the test? I think there is some simple concept I'm not grasping here.

3 Answers

Traffic shaping is basically used to match devices with link speeds. It only affects interfaces and does not depend on type of traffic.

You cannot configure priority and policing for the same types of traffic. In other words, if you want to prioritize your group "priority-traffic", you would have to police all other traffic.

With priority traffic, think of QoS as a cup. You're identifying what traffic to prioritize by putting it in that cup... but what happens after that, you have no control over. You can only determine what traffic to put in your cup.

The policy-map as written is not assigning a bandwidth to your priority traffic and you are (most probably) using the wrong QoS mechanism for it. The priority designation is for traffic that should be expedited, typically RTP carrying audio (most commonly used for VoIP, but I've seen it used to shuffle broadcast audio from a mixing table across a WAN for further broadcasting as radio).

Any traffic that matches the priority class will be sent before any other traffic in the time slot, up to the limit set (I don't know what it defaults to; there are two subtly different ways of doing it, depending on the IOS version: one takes a bandwidth and the other relies on a policer in the same class). It's rather heavily suggested by Cisco that you NEVER use priority on traffic that could be TCP, so "UDP only". Any traffic exceeding the (hard) limit for the priority traffic WILL be discarded.

Further, while not necessary, I've found that starting my QoS policies with the "most important" classes first makes them easier to read.
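Putting the two answers above together (shaping is per interface, and priority and policing cannot be applied to the same class, so the VPN class gets priority and everything else rides under the interface shaper), here is an added example of an ASA configuration in the shape the question describes; it is not from the original posts. The access-list, class-map and policy-map names are assumptions; `priority-traffic` is the object-group named in the question and 4.5 Mbit/s is the link speed given there.

```cisco
! Added example, not from the original posts. Assumed names: acl_vpn_priority,
! vpn-priority-class, vpn-llq-policy, outside-shape-policy.
! Match traffic to or from the VPN subnets held in object-group priority-traffic.
access-list acl_vpn_priority extended permit ip any object-group priority-traffic
access-list acl_vpn_priority extended permit ip object-group priority-traffic any

class-map vpn-priority-class
 match access-list acl_vpn_priority

! Nested policy: the VPN class gets "priority" and nothing else (no "police"
! in the same class, as the first answer notes).
policy-map vpn-llq-policy
 class vpn-priority-class
  priority

! Shaping applies to the whole interface, so it goes in class-default of the
! outside policy; the priority policy is nested underneath the shaper.
! 4500000 bps is the 4.5 Mbit/s link from the question.
policy-map outside-shape-policy
 class class-default
  shape average 4500000
  service-policy vpn-llq-policy

service-policy outside-shape-policy interface outside
```

Shaping and priority on the outside interface only govern what the ASA sends towards the ISP, so a large inbound download is queued on the ISP's side before the ASA ever sees it, which is why only policing (which the ASA can also apply in the input direction with `police input`) changed the ping results in the test described in the question.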